
content: update source-track objective to reference revisions and provenance.

Open zachariahcox opened this issue 1 year ago • 1 comment

fixes https://github.com/slsa-framework/slsa/issues/1072

Context

Based on discussion from https://github.com/slsa-framework/slsa/pull/1037

See discussion here.

Copied from draft proposal here.

Google document requires [email protected] membership.

Source revision provenance

Repos contain many revisions, most of which are not "official" or otherwise approved for release.
The goal of the source track is to attest to why a specific revision was approved for release.

We can think of the SCP / code review tool as “building” the next official revision of a repository using a codified process that involves collecting commits, acquiring reviews, running CI, etc. If the change review process is successful, the code review tooling will merge the code changes and attest to the process used to produce the new revision.

The source provenance attestations associate a specific revision of a repository to security claims and documents (basically build logs) of the process that produced it.

In GitHub terms, a merged pull request and its associated rules evaluation justify why and how a specific git SHA is reachable from a protected branch.

Example Scenario

  1. A CI system is trying to build some artifact and will download all necessary resources, including repos and packages.
  2. After download, the system will proceed to verify all fetched resources.
    1. For package artifacts, it takes the hash and looks for build provenance attestations from Sigstore or GitHub.
    2. For source artifacts that are not packaged (e.g., cloned via git), it takes the revision id and looks for the source provenance from Sigstore or GitHub.
  3. Based on the claims in the provenance attestations, the CI system can determine if all resources comply with required policy and choose to proceed.

zachariahcox avatar Jun 28 '24 17:06 zachariahcox
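The verification scenario in the description above, as an added example that is not code from the SLSA project or from this pull request: a toy CI-side verifier that looks up each fetched resource by sha256 digest (packages) or git revision (unpackaged source), checks that an in-toto statement actually covers that subject, and evaluates its claims against a policy before deciding to proceed. The build provenance predicate type is SLSA's published v1 URI; the source provenance predicate type URI and its fields (`branch`, `reviewed`, `ciPassed`) are placeholders chosen for illustration, since the page does not define them, and the attestation store contents are constructed. A real verifier would fetch statements from Sigstore or GitHub and verify their signatures before any of this.

```python
"""Toy verifier for the SLSA source/build provenance scenario (added example)."""
from dataclasses import dataclass, field

# Published SLSA build provenance predicate type.
BUILD_PROVENANCE = "https://slsa.dev/provenance/v1"
# The page names no source provenance predicate URI; this placeholder is an assumption.
SOURCE_PROVENANCE = "https://example.invalid/source-provenance/placeholder"


@dataclass
class Resource:
    name: str
    kind: str        # "package" (verified by digest) or "source" (verified by revision)
    identifier: str  # sha256 hex digest for packages, git commit SHA for source checkouts


@dataclass
class Policy:
    trusted_builders: set = field(default_factory=set)
    protected_branches: set = field(default_factory=set)
    require_review: bool = True
    require_ci: bool = True


def statement(subject_name, digest, predicate_type, predicate):
    """Build a constructed in-toto v1 Statement (unsigned; signatures are out of scope here)."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": subject_name, "digest": digest}],
            "predicateType": predicate_type, "predicate": predicate}


# Constructed attestation store keyed by the identifier the verifier will search on.
# Source predicate field names are illustrative, not a published schema.
ATTESTATIONS = {
    "sha256:" + "a1" * 32: statement(
        "libfoo-1.2.tgz", {"sha256": "a1" * 32}, BUILD_PROVENANCE,
        {"runDetails": {"builder": {"id": "https://ci.example.invalid/builder/v1"}}}),
    "gitCommit:" + "b2" * 20: statement(
        "git+https://example.invalid/org/repo", {"gitCommit": "b2" * 20}, SOURCE_PROVENANCE,
        {"branch": "refs/heads/main", "reviewed": True, "ciPassed": True}),
    "gitCommit:" + "c3" * 20: statement(
        "git+https://example.invalid/org/repo", {"gitCommit": "c3" * 20}, SOURCE_PROVENANCE,
        {"branch": "refs/heads/feature/x", "reviewed": False, "ciPassed": True}),
}


def lookup(resource):
    """Return the statement indexed under this resource's digest/revision, or None."""
    prefix = "sha256:" if resource.kind == "package" else "gitCommit:"
    return ATTESTATIONS.get(prefix + resource.identifier)


def subject_matches(stmt, resource):
    """The statement must be about this exact digest/revision, not merely filed under it."""
    alg = "sha256" if resource.kind == "package" else "gitCommit"
    return any(s.get("digest", {}).get(alg) == resource.identifier for s in stmt["subject"])


def check_resource(resource, policy):
    """Return (ok, reason) for one fetched resource (steps 2.1 / 2.2 of the scenario)."""
    stmt = lookup(resource)
    if stmt is None:
        return False, "no provenance attestation found"
    if not subject_matches(stmt, resource):
        return False, "attestation subject does not match resource"
    pred = stmt["predicate"]
    if resource.kind == "package":
        if stmt["predicateType"] != BUILD_PROVENANCE:
            return False, "wrong predicate type for package"
        builder = pred.get("runDetails", {}).get("builder", {}).get("id")
        if builder not in policy.trusted_builders:
            return False, f"untrusted builder {builder!r}"
        return True, "build provenance from trusted builder"
    if stmt["predicateType"] != SOURCE_PROVENANCE:
        return False, "wrong predicate type for source"
    if pred.get("branch") not in policy.protected_branches:
        return False, f"revision not reachable from a protected branch ({pred.get('branch')!r})"
    if policy.require_review and not pred.get("reviewed"):
        return False, "revision was not reviewed"
    if policy.require_ci and not pred.get("ciPassed"):
        return False, "CI did not pass for this revision"
    return True, "source provenance satisfies policy"


def verify_all(resources, policy):
    """Map resource name -> (ok, reason) for every fetched resource."""
    return {r.name: check_resource(r, policy) for r in resources}


def should_proceed(results):
    """Step 3 of the scenario: proceed only if every resource complies with policy."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    policy = Policy(trusted_builders={"https://ci.example.invalid/builder/v1"},
                    protected_branches={"refs/heads/main"})
    fetched = [Resource("libfoo", "package", "a1" * 32),
               Resource("repo-main", "source", "b2" * 20),
               Resource("repo-feature", "source", "c3" * 20),
               Resource("unknown", "package", "ff" * 32)]
    results = verify_all(fetched, policy)
    for name, (ok, why) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
    print("proceed" if should_proceed(results) else "stop")
```

The store is keyed by identifier for convenience, but `subject_matches` re-checks the statement's own subject digest, so a mis-filed or substituted attestation cannot vouch for a resource it does not name; that is the check a verifier must never skip when attestations come from a shared transparency log.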

Deploy Preview for slsa ready!

Latest commit: 20cb12da377629843b24867bfb985e5a74c4055c
Latest deploy log: https://app.netlify.com/sites/slsa/deploys/66916946993b7c0008a8dc3c
Deploy Preview: https://deploy-preview-1083--slsa.netlify.app

netlify[bot] avatar Jun 28 '24 17:06 netlify[bot]